| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
Fixes a minor bug in behavior when is_selinux_enabled()
returned negative value.
* modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro.
(unix_update_shadow): Safe cast forwho to non-const char *.
* modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
|
| |
|
|
|
|
|
| |
* modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
* modules/pam_env/pam_env.8.xml: Add environ(7) reference.
* modules/pam_env/pam_env.conf.5.xml: Add environment alias name.
Add a paragraph about /etc/environment. Add environ(7) reference.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry
is on and return value data is not set to PAM_SUCCESS then ignore
PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the
return value data.
(pam_sm_setcred): Test for likeauth option and use the return value data
only if set.
* modules/pam_unix/support.h: Add the no_pass_expiry option.
|
| |
|
|
|
| |
* modules/pam_unix/passverify.c (create_password_hash): Change the
salt length for new hashes to 16 characters.
|
| |
|
|
|
|
|
| |
The PAM library calls will not fail anymore for any uid if the return
value from the libaudit call is -EPERM.
* libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0.
|
| |
|
|
|
| |
* modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
(tally_check): Always log the tally count with debug option.
|
| |
|
|
| |
* doc/man/pam_syslog.3.xml: Add const to pam handle in pam_syslog() and pam_vsyslog().
|
| |
|
|
|
| |
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message
if required auditd is not detected.
|
| |
|
|
| |
* configure.ac: If w3m is not found check for links.
|
| |
|
|
| |
* doc/man/pam_misc_setenv.3.xml: Add a missing space.
|
| |
|
|
|
| |
* modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of
passwd permission.
|
| |
|
|
|
|
|
| |
* modules/pam_timestamp/hmacsha1.c(hmac_key_create):
close 'keyfd' when failed to own it.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Security fix: CVE-2015-3238
If the process executing pam_sm_authenticate or pam_sm_chauthtok method
of pam_unix is not privileged enough to check the password, e.g.
if selinux is enabled, the _unix_run_helper_binary function is called.
When a long enough password is supplied (16 pages or more, i.e. 65536+
bytes on a system with 4K pages), this helper function hangs
indefinitely, blocked in the write(2) call while writing to a blocking
pipe that has a limited capacity.
With this fix, the verifiable password length will be limited to
PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
* NEWS: Update
* configure.ac: Bump version
* modules/pam_exec/pam_exec.8.xml: document limitation of password length
* modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
* modules/pam_unix/pam_unix.8.xml: document limitation of password length
* modules/pam_unix/pam_unix_passwd.c: limit password length
* modules/pam_unix/passverify.c: Likewise
* modules/pam_unix/passverify.h: Likewise
* modules/pam_unix/support.c: Likewise
|
| | |
|
| |
|
|
|
|
|
|
| |
* NEWS: Update
* configure.ac: Bump version
* libpam/Makefile.am: Bump version of libpam
* libpam_misc/Makefile.am: Bump version of libpam_misc
* po/*: Regenerate po files
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Patch by Louis Sautier
* doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors.
* doc/man/pam.3.xml: Likewise.
* doc/man/pam_acct_mgmt.3.xml: Likewise.
* doc/man/pam_chauthtok.3.xml: Likewise.
* doc/man/pam_sm_chauthtok.3.xml: Likewise.
* modules/pam_limits/limits.conf.5.xml: Likewise.
* modules/pam_mail/pam_mail.8.xml: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_shells/pam_shells.8.xml: Likewise.
* modules/pam_tally/pam_tally.8.xml: Likewise.
* modules/pam_tally2/pam_tally2.8.xml: Likewise.
* modules/pam_unix/pam_unix.8.xml: Likewise.
|
| |
|
|
|
|
|
|
|
| |
messages from session.
* modules/pam_unix/pam_unix.8.xml: Document new option.
* modules/pam_unix/support.h: Add quiet option.
* modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if
'quiet' option is set.
|
| |
|
|
|
|
|
| |
* modules/pam_unix/passverify.c (create_password_hash): Call crypt_r()
instead of crypt() if available.
* modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r()
instead of crypt() if available.
|
| |
|
|
|
|
|
|
| |
(Ticket#34, patch from ay Sievers <kay@vrfy.org>)
* doc/man/pam.8.xml: document additonal config directory
* libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory
* libpam/pam_private.h: adjust defines
|
| |
|
|
|
|
|
|
| |
(Ticket#24 and #29)
* modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
* modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
* modules/pam_env/pam_env.8.xml: Enhance documentation
|
| |
|
|
|
|
|
|
|
| |
(Ticket #39)
* modules/pam_access/access.conf.5.xml
* modules/pam_access/pam_access.8.xml
Signed-off-by: Karl O. Pinc <kop at meme.com>
|
| |
|
|
| |
* modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.
|
| |
|
|
| |
* modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.
|
| |
|
|
| |
* modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.
|
| |
|
|
|
| |
* libpam/pam_delay.c: Change 25% in comment to 50% as used in code.
* doc/man/pam_fail_delay.3.xml: Change 25% to 50%
|
| |
|
|
| |
* po/*.po: Updated translations from Transifex.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Raise gettext requirement to the latest oldstable version 0.18.3.
This fixes the following automake warning:
configure.ac:581: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged.
configure.ac:581: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead,
configure.ac:581: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.
* configure.ac (AM_GNU_GETTEXT_VERSION): Raise from 0.15 to 0.18.3.
* po/Makevars: Update from gettext-0.18.3.
|
| |
|
|
|
|
|
| |
Enable all automake warning flags except for the portability issues,
since non portable features are used among the makefiles.
* configure.ac (AM_INIT_AUTOMAKE): Add -Wall -Wno-portability.
|
| |
|
|
|
|
|
| |
This fixes the following automake warning:
aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
* configure.in: Rename to configure.ac.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These files are part of GNU gettext; we have not modified them, they are
installed by autopoint which is called by autoreconf, so they had to be
removed from this repository along with ABOUT-NLS, config.rpath, and
mkinstalldirs files that were removed by commit
Linux-PAM-1_1_5-7-g542ec8b.
* po/Makefile.in.in: Remove.
* po/Rules-quot: Likewise.
* po/boldquot.sed: Likewise.
* po/en@boldquot.header: Likewise.
* po/en@quot.header: Likewise.
* po/insert-header.sin: Likewise.
* po/quot.sed: Likewise.
* po/remove-potcdate.sin: Likewise.
* po/.gitignore: Ignore these files.
|
| |
|
|
| |
* .gitignore: Ignore *.log and *.trs files.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_get_authtok() may be used any time that a password needs to be entered,
unlike pam_get_authtok_{no,}verify(), which may only be used when
changing a password; yet when the user aborts, it prints "Password change
aborted." whether or not that was the operation being performed.
This bug was non-obvious because none of the modules distributed with
Linux-PAM use it for anything but changing passwords; pam_unix has its
own utility function that it uses instead. As an example, the
nss-pam-ldapd package uses it in pam_sm_authenticate().
libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the
password is trying to be changed before printing a message about the
password change being aborted.
|
| |
|
|
|
|
|
|
|
|
| |
Use BUILD_CPPFLAGS variable to override CPPFLAGS where necessary in
case of cross compiling, in addition to CC_FOR_BUILD, BUILD_CFLAGS,
and BUILD_LDFLAGS variables introduced earlier to override CC,
CFLAGS, and LDFLAGS, respectively.
* configure.in (BUILD_CPPFLAGS): Define.
* doc/specs/Makefile.am (CPPFLAGS): Define to @BUILD_CPPFLAGS@.
|
| |
|
|
|
|
|
|
|
|
|
| |
Our scanners do not really use yywrap. Explicitly disable yywrap
so that no references to yywrap will be generated and no LEXLIB
would be needed.
* conf/pam_conv1/Makefile.am (pam_conv1_LDADD): Remove.
* conf/pam_conv1/pam_conv_l.l: Enable noyywrap option.
* doc/specs/Makefile.am (padout_LDADD): Remove.
* doc/specs/parse_l.l: Enable noyywrap option.
|
| |
|
|
| |
* doc/man/pam_authenticate.3.xml: Fix a typo in PAM_AUTHINFO_UNAVAIL.
|
| |
|
|
| |
* doc/man/pam_authenticate.3.xml: Fix typo.
|
| |
|
|
|
| |
modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST
and PAM_TTY properly for the rhost and tty values.
|
| |
|
|
|
|
|
|
|
| |
The currently used long with additional conversion to int is
too small for uids and gids.
modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace
strtol() with strtoll() and int with long long in the parameters
of comparison functions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The grantor field gives audit trail of PAM modules which granted access
for successful return from libpam calls. In case of failed return
the grantor field is set to '?'.
libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
libpam/pam_password.c (pam_chauthtok): Likewise.
libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter,
add grantor= field to the message if grantors is set.
(_pam_list_grantors): New function creating the string with grantors list.
(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors()
to list the grantors from the handler list.
(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
(_pam_clear_grantors): New function to clear grantor field of handler.
(_pam_dispatch): Call _pam_clear_grantors() before executing the stack.
Call _pam_auditlog() when appropriate.
libpam/pam_handlers.c (extract_modulename): Do not allow empty module name
or just "?" to avoid confusing audit trail.
(_pam_add_handler): Test for NULL return from extract_modulename().
Clear grantor field of handler.
libpam/pam_private.h: Add grantor field to struct handler, add handler pointer
parameter to _pam_auditlog().
|
| |
|
|
|
| |
modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Drop superfluous
stat() call.
|
| |
|
|
|
| |
modules/pam_exec/pam_exec.c (call_exec): Move the descriptor to
STDOUT_FILENO if needed.
|
| |
|
|
| |
modules/pam_keyinit/pam_keyinit.c (pam_sm_open_session): Log if setregid() fails.
|
| |
|
|
| |
modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails.
|
| |
|
|
| |
modules/pam_echo/pam_echo.c (pam_echo): Close fd in error cases.
|
| |
|
|
|
| |
modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Initialize also
msg_flags.
|
| |
|
|
|
|
| |
Problem found by Robin Hack <rhack@redhat.com>.
modules/pam_tally2/pam_tally2.c (get_tally): Do not depend on file size
just try to read it.
|
| |
|
|
|
| |
* modules/pam_access/pam_access.c (login_access): Reorder condition
so line is not accessed when uninitialized.
|
| |
|
|
|
| |
modules/pam_lastlog/pam_lastlog.c (last_login_write): Properly clean up last_login
structure before use.
|
| |
|
|
|
|
|
| |
* modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields
in opasswd entry and return error.
* modules/pam_unix/passverify.c (save_old_password): Test for missing fields
in opasswd entry and skip it.
|
| |
|
|
|
| |
* doc/man/Makefile.am [ENABLE_REGENERATE_MAN]: Add dependencies for
pam_verror.3, pam_vinfo.3, pam_vprompt.3, and pam_vsyslog.3 soelim stubs.
|
